BIT-parse-2026-39321
See a problem?- Import Source
- https://github.com/bitnami/vulndb/tree/main/data/parse/BIT-parse-2026-39321.json
- JSON Data
- https://api.osv.dev/v1/vulns/BIT-parse-2026-39321
- Aliases
-
- CVE-2026-39321
- GHSA-mmpq-5hcv-hf2v
- Published
- 2026-04-09T14:37:40.125Z
- Modified
- 2026-04-09T15:41:17.456486561Z
- Summary
- Parse Server has a login timing side-channel reveals user existence
- Details
-
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames. This vulnerability is fixed in 9.8.0 and 8.6.74.
- Database specific
{ "severity": "Medium", "cpes": [ "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*" ] }- References
Affected packages
Bitnami / parse
Package
- Name
- parse
- Purl
- pkg:bitnami/parse
Severity
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator